I'd like to display all sourcetypes available for each index in my environment. Unfortunately, metadata type=sourcetypes doesn't preserve the index name, and I want to be able to run it on the entire set of indexes on whatever instance the search runs on (i.e. I don't want to hardcode index=a OR index=b, etc, into the search). I tried getting fancy:
| rest /services/data/indexes | rex field=id mode=sed "s/.*\/([^\/]+)$/\1/" | search id!="_*" | fields id | map search="| metadata type=sourcetypes index=\"$id$\" | stats list(sourcetype) AS sourcetype | eval whereFrom=\"$id$\" | table sourcetype whereFrom"
earliest=-5m@m latest=@m index=* | dedup index sourcetype | table index sourcetype
You can increase the time range to one hour and try it. It will just take extra time to give you the result. How long the search takes to complete will depend on your Splunk environment.
Understood, but my indexes are huge. I would prefer not to search the data itself if I can avoid it; this is the kind of problem that metadata should solve.
Do you have to do this search against "All Time"? I tried running it and got completely different results when searching "All Time" vs. 15 minutes.
This REST search works great, and it is fast, too. It lists all sourcetypes by index and the associated event count:
| rest /services/data/indexes count=0 | dedup title | fields title | map [| metadata type=sourcetypes index="$title$" | eval type="$title$"] maxsearches=1000 | stats sum(totalCount) AS EventCount by type sourcetype | rename type AS index, sourcetype AS Sourcetype | fields index Sourcetype EventCount
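An added example, not code posted by anyone in this thread: the same per-index sourcetype list built with tstats. tstats reads only the tsidx index files (the indexed fields index, sourcetype, source and host), so it never touches the raw event data, and unlike metadata it keeps index as a split-by field, so no REST lookup or map loop is needed. The 24-hour window is an assumption for illustration; set it to whatever range you actually care about.

```spl
| tstats count AS EventCount
    where index=* earliest=-24h@h latest=now
    by index, sourcetype
| sort 0 index, sourcetype
```

Two caveats: index=* covers the non-internal indexes only, so add OR index=_* in the where clause if you also want _internal, _audit and friends; and tstats counts respect the time range exactly, so an index with no events in the window simply does not appear. The metadata command, by contrast, reports totalCount per bucket for every bucket that overlaps the range, so a bucket that only partly overlaps contributes all of its events, which is why its numbers over 15 minutes and over All Time can disagree so sharply.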